Summary

In VaultRouterBranch -> when a withdraw is redeemed , at the end of the redeem function, there is a final check to ensure that the locked credit capacity is greater than the delta of the credit capacity.

This would mean that there is enough locked credit capacity to facilitate and handle the change in credit capacity that the withdraw being redeemed would impact.

However the check of the two values is wrong, the check is less than or equalbut should be greater than or equal

Vulnerability Details

The function calculates the credit capacity delta -> and then uses the operand .lte

.ltechecks that the first value is less than or equal to the subsequent value.

As is:

This goes against the intended functionality and checks that the credit capacity deltais less than or equal to the locked credit capacity. And reverts if the locked credit capacityis greater.

The locked credit capacitybeing greater than the delta is a good thing, and means that the withdraw being redeem should be completed because THERE IS ENOUGH credit capacity to facilitate it.

But, it will revert.

Impact

In redeem -> withdraws being redeemed will revert and fail if the locked credit capacityis greater than the delta, when it should succeed.

Subsequently, withdraws being redeemed will succeed when locked credit capacityis less than the delta, when it should fail -> because there is not enough credit capacity to facilitate and handle the withdraw.

The check as is implements the total opposite of the intended functionality, which is the ensure there is enough locked credit capacityto facilitate the withdraw. This as is, actual ensures that there is not enough locked credit capacityto facilitate the withdraw, and succeeds if so.

Tools Used

Manual Review

Recommendations

Change the check from .lteto -> .gte.